Report names top threats to campus networks

By Dennis Carter, Assistant Editor

December 10th, 2009

Eight out of 10 colleges included in a recent study were deemed vulnerable to cyber attacks that could cost IT departments thousands of dollars, highlighting the security downfalls of decentralized campus networks with little interconnectedness.

WhiteHat Security, a California-based web site risk management company founded by a former Yahoo information security officer, published a white paper last month saying that 83 percent of educational sites managed by the company are susceptible to viruses, hackers, and other security breaches.

The white paper is the eighth in a quarterly series that examines web site security statistics.

WhiteHat’s analysis is the latest national report to suggest that higher education’s decentralized IT networks create a challenge for technology officials in safeguarding the dozens of various web sites maintained on campus—making colleges and universities an attractive setting for internet hackers trolling for personal information.

Social networking web sites aren’t the only sites more vulnerable to cyber attacks, according to the white paper. The analysis included likely reasons for college networks’ vulnerability.

Cross-site scripting, which often contains "malware-laced … web worms," allows web attackers to bypass a computer’s access controls. The impact can be minor if the hacked web site does not contain sensitive information.

University networks, though, are jam-packed with personal data, such as students’ IDs and Social Security numbers. Cross-site scripting in a school’s site can leave student and faculty information open to anonymous attackers.

Content spoofing is another common tool used by internet hackers, according to the WhiteHat white paper.

Web users receive a link that transfers to a screen instructing them to type in a user name and password. These sites are often hosted with interfaces that mimic a legitimate campus site, making it difficult for users to tell that they are on a fraudulent site designed specifically to steal their personal information.

"Decentralization translates into a lack of control in respect to security," said Stephanie Fohn, WhiteHat’s chief executive officer. "People pretty much do their own thing … and often the university will then try to institute global policies after the fact, but it is very difficult to enforce those."

Information leakage also has posed a persistent threat to campus computer security, according to the report. The leakage occurs when a campus web site "knowingly or unknowingly" reveals software version numbers, error messages, developer comments, source code, and internal IP addresses. A hacker can use any of this information to compromise campus networks.

Shannon Ortiz, director of IT security at Fordham University in New York, said relying on automated machine-run scans of a college’s massive network can produce false positives—a series of warnings that might not be harmful to campus computers—while destructive malware lurks in the background, slowing down internet connections across campus.

"We have a human verify every vulnerability we find," said Ortiz, who has been at Fordham for 18 years and uses WhiteHat security tools. "We get the data back so we know [what] we’re actually finding … and it definitely weeds out the necessary information."

Creating a centralized IT infrastructure and having staff sort through potential security threats, Ortiz said, can help campus decision makers avoid network breaches that affect the college’s bottom line.

"The long-term effects can be a public relations nightmare," he said. "[Faculty members and students] worry about their data, so they might not want to come to a school knowing that their data is at risk. … In the long run, you lose enrollment and quality of faculty."

The WhiteHat report comes three months after Identity Theft 911, an Arizona-based company founded by consumer advocates and experts from the financial industry and law enforcement, released a report called "America’s Universities: A Hacker’s Dream." That report documents some of the largest recent computer security breaches on college campuses and discusses solutions for IT decision makers and students.

Twenty-seven American colleges and universities saw personal records stolen in the first seven months of 2009, and the report concludes that a "sprawling profusion" of disparate computer networks and servers—each with a different security policy—makes IT departments "powerless to enforce any standards," meaning student grades, credit information, and Social Security numbers remain vulnerable.

Campus IT officials said school networks often are vulnerable because thousands of students and faculty access the networks every day using their laptops or other personal mobile devices.

"Many of those we don’t own, we don’t have any management responsibility for them, and yet they do introduce problems we have to deal with," said Robert Ono, the director of technology security for the University of California at Davis.

Ono said 35,000 computers connect to the campus’s network every day.

Centralizing campus computer networks would require categorization of personal information. In this scenario, data would be separated according to sensitivity level, the Identity Theft 911 report says, adding that no one outside the university’s financial aid department would need to know a student’s Social Security number, for example.

Fohn said the culture of higher education is not conducive to airtight IT security measures. With many campus officials supporting online communication between students and faculty, Fohn said, colleges have hesitated to embrace comprehensive security methods.

"There’s an open nature to colleges, and people chafe against being more restrictive," she said. "I think that’s starting to shift, because people are starting to see the need to guard sensitive personal data."